WHHLight - simplified application control for Windows Home and Pro.
<blockquote data-quote="Andy Ful" data-source="post: 1074499" data-attributes="member: 32260"><p>@[USER=78686]SeriousHoax[/USER],</p><p></p><p><strong><span style="color: rgb(41, 105, 176)">Post updated and edited (10 February 2024).</span></strong></p><p></p><p>I made some tests and confirmed that in WHHLight the file <strong><span style="color: rgb(184, 49, 47)">on the NTFS drive</span> </strong>can get the OK mark from WDAC ISG as follows:</p><ol> <li data-xf-list-type="ol">The file is executed from a non-writable location (like most folders in %ProgramFiles%) without SmartScreen backend and ISG reputation.<br /> <span style="color: rgb(41, 105, 176)">The OK mark added in this scenario is only temporary. It can survive the Windows restart, but it is usually updated within a few hours.</span><br /> <span style="color: rgb(184, 49, 47)"><strong>Files from the writable but whitelisted folder (like user AppData) cannot get the OK mark when executed without the SmartScreen backend and ISG reputation.</strong></span></li> <li data-xf-list-type="ol"><span style="color: rgb(41, 105, 176)">The file is executed and establishes a positive reputation from ISG without SmartScreen backend.</span></li> <li data-xf-list-type="ol">The file is an application installer downloaded from the Internet (MOTW required), executed, and accepted by SmartScreen. SmartScreen for Explorer must be enabled.</li> <li data-xf-list-type="ol">An application installer (see point 3) writes the file to disk - the executed file inherits a positive reputation from the installer - SmartScreen for Explorer must be enabled.</li> <li data-xf-list-type="ol">The file with the OK mark is <strong><span style="color: rgb(0, 168, 133)">moved</span></strong> from one location to another (the OK mark is moved with the file). The target location can also be writable.</li> </ol><p><strong><span style="color: rgb(41, 105, 176)"><strong>Files with the OK mark are not checked by the ISG for several hours (the local file execution cache is used). </strong></span></strong></p><p><span style="color: rgb(41, 105, 176)"><strong><strong>In scenario 1 (no file reputation), the update of the OK mark is done against the cloud.</strong></strong></span></p><p><span style="color: rgb(41, 105, 176)"><strong><strong>When the positive file reputation is established or inherited, the update of the OK mark is made locally (positive file reputation is stored in the kernel).</strong></strong></span></p><p></p><p>What does it mean?</p><p>Let's take a folder on the Desktop with a portable application <strong>initially blocked </strong>by WDAC ISG.</p><p>When we move that folder into %ProgramFiles% and <strong>execute the application</strong>, it will be allowed.</p><p>When we move the application folder from %ProgramFiles% back to the Desktop, the application <strong>will be allowed (also after Windows restart, </strong><span style="color: rgb(41, 105, 176)">but not for long</span><strong>)</strong>.</p><p>The above procedure will not work if we use the writable &amp; whitelisted folder instead of %ProgramFiles% (<strong><span style="color: rgb(41, 105, 176)">the application can be blocked in the Desktop subfolder</span></strong>).</p><p></p><p>If the user installed the application with &lt; WDAC &gt; = OFF, the application files did not get the OK mark, <span style="color: rgb(41, 105, 176)">so ISG checks them on execution after enabling WDAC.</span></p><p><strong><span style="color: rgb(41, 105, 176)">For most users, the first execution of applications (after Windows restart) will be checked by WDAC ISG. 
This can cause some slowdowns when the application cannot establish or inherit a positive reputation.</span></strong></p><p></p><p>Edit</p><p><strong>The above behavior is not a general WDAC feature and depends on the concrete settings I used in the policy file. </strong></p><p></p><p>Edit (11 February 2024)</p><p><strong>The info is related to the setup with Smart App Control set to OFF.</strong></p></blockquote><p></p>
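<p>The scenarios in the quoted post hinge on three machine-wide conditions it names (WDAC enforced, SmartScreen for Explorer enabled, Smart App Control set to OFF) plus, for scenario 3, the installer still carrying MOTW. The PowerShell below is an added example, not code from Andy Ful or from the WHHLight/Hard_Configurator project. It reads those settings from the standard Windows locations (the Win32_DeviceGuard CIM class, the Explorer and policy SmartScreen registry values, and the CI policy state value), tests a file for the Zone.Identifier stream, and lists recent Code Integrity block events, so an administrator can confirm the preconditions and see which files the policy refused before relying on the OK-mark behaviour described above. It assumes a supported Windows 10/11 build and an elevated prompt; the installer path at the end is a placeholder.</p>

```powershell
# Added example, not code from the post or from WHHLight/Hard_Configurator.
# Reports the preconditions the post's scenarios rely on (WDAC user-mode
# enforcement, SmartScreen for Explorer, Smart App Control OFF), tests whether
# a downloaded installer still carries MOTW (needed for scenario 3), and lists
# recent Code Integrity block events so a defender can see what was refused.
# Assumes Windows 10/11 with the standard registry paths and CIM class below;
# run from an elevated PowerShell prompt.

function Get-WdacEnforcementState {
    # Win32_DeviceGuard exposes the Code Integrity policy status:
    # 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return 'Unknown (CIM class unavailable)' }
    switch ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus) {
        0       { 'Off' }
        1       { 'Audit' }
        2       { 'Enforced' }
        default { 'Unknown' }
    }
}

function Get-SmartScreenExplorerState {
    # A Group Policy value, when present, wins over the per-machine Explorer setting.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                            -Name 'EnableSmartScreen' -ErrorAction SilentlyContinue
    if ($null -ne $pol) {
        if ($pol.EnableSmartScreen -eq 1) { return 'Enabled (policy)' } else { return 'Disabled (policy)' }
    }
    $exp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                            -Name 'SmartScreenEnabled' -ErrorAction SilentlyContinue
    if ($null -eq $exp) { return 'Unknown (value absent)' }
    # 'Off' disables the check; 'Warn', 'Block', 'RequireAdmin' and 'Prompt' all enable it.
    if ($exp.SmartScreenEnabled -eq 'Off') { return 'Disabled' }
    return "Enabled ($($exp.SmartScreenEnabled))"
}

function Get-SmartAppControlState {
    # VerifiedAndReputablePolicyState: 0 = off, 1 = on, 2 = evaluation mode.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' `
                           -Name 'VerifiedAndReputablePolicyState' -ErrorAction SilentlyContinue
    if ($null -eq $ci) { return 'Off (value absent)' }
    switch ($ci.VerifiedAndReputablePolicyState) {
        0       { 'Off' }
        1       { 'On' }
        2       { 'Evaluation' }
        default { 'Unknown' }
    }
}

function Test-MarkOfTheWeb {
    # Scenario 3 needs the installer to carry MOTW: a Zone.Identifier alternate
    # data stream whose ZoneId is 3 (Internet) or 4 (Restricted sites).
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($null -eq $ads) { return $false }
    return [bool]($ads -match '^ZoneId=[34]$')
}

function Get-RecentCodeIntegrityBlocks {
    # 3077 = blocked by an enforced policy; 3076 = would have been blocked (audit mode).
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The blocked image path sits between 'attempted to load' and 'that did not meet'.
        $file = if ($e.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] } else { '(see message)' }
        [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; File = $file }
    }
}

# Summary of the preconditions described in the post.
[pscustomobject]@{
    WdacUserMode        = Get-WdacEnforcementState
    SmartScreenExplorer = Get-SmartScreenExplorerState
    SmartAppControl     = Get-SmartAppControlState
} | Format-List

# Placeholder path: replace with the installer you downloaded.
Test-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\installer.exe"
Get-RecentCodeIntegrityBlocks -Hours 24 | Format-Table -AutoSize
```

<p>A file that fails Test-MarkOfTheWeb (for example one copied from a network share or extracted by a tool that drops the stream) will not be vetted by SmartScreen on launch, so it cannot take the scenario-3 or scenario-4 route to an OK mark; the block-event listing then shows whether it was refused by the policy instead. The block events carry the device path form of the file name, which is why the script reports it as written rather than converting it to a drive letter.</p>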